Closed sync-by-unito[bot] closed 2 years ago
➤ karen.a.taggart commented:
question from Adrian Velonis
Hi Karen, can you clarify what docs needs to do for this ticket "[XSDLookUp] Updated entity resolver to not fallback to network lookup when xsd is not found"? https://datical.atlassian.net/browse/PD-2497 ( https://datical.atlassian.net/browse/PD-2497|smart-link ) Do I just have to update the header of our XML changelogs to this?
<databaseChangeLog xmlns="http://www.liquibase.org/xml/ns/dbchangelog" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:ext="http://www.liquibase.org/xml/ns/dbchangelog-ext" xmlns:pro="http://www.liquibase.org/xml/ns/pro" xsi:schemaLocation="http://www.liquibase.org/xml/ns/dbchangelog http://www.liquibase.org/xml/ns/dbchangelog/dbchangelog-4.8.0.xsd http://www.liquibase.org/xml/ns/dbchangelog-ext http://www.liquibase.org/xml/ns/dbchangelog/dbchangelog-ext.xsd http://www.liquibase.org/xml/ns/pro http://www.liquibase.org/xml/ns/pro/liquibase-pro-4.8.0.xsd">
➤ karen.a.taggart commented:
Nathan Voxland can you take a look at this and help out Adrian Velonis ? I have to admit I am not following how the PR changed the end user experience and how that should be reflected in the user docs.
Feel free of course to just submit a docs PR with your draft. If you do that, please just let me know and I will close this ticket.
Thanks!
KT
➤ Nathan Voxland commented:
We don’t have to change any of our headers or anything.
What changed is that if a user is referencing an XSD other than one of ours, Liquibase will no longer automatically download the XSD from the internet and use it.
Instead, they will get an error of Unable to resolve xml entity
Their options are either:
So normal Liquibase usage isn’t impacted. It’s only people who are using custom or extension XSDs which aren’t already included in their local jars.
➤ Erzsebet Carmean commented:
Nataliya Melnyk, hello -
This change prevents Liquibase from looking on the internet for a missing XSD files referenced in a changelog. This is useful when there is no internet connection from the database or if there is an outage on the Liquibase site hosting the XSDs. This change is also more secure, as it leverages the FEATURE_SECURE_PROCESSING setting in the XML parser to limit the ability to “look anywhere” for files. This XML parser parameter is configured in Liquibase using the Liquibase SECURE_PROCESSING global parameter. The default for for SECURE_PROCESSING is true, which stops Liquibase from looking on the internet for missing XSDs. The SECURE_PROCESSING can be disabled using any of the normal Liquibase configuration options.
Global Parameter : --secure-parsing=PARAM See liquibase --help for details on how use JAVA_OPTS, liquibase.properties file or environment variables to change the setting of liquibase.secure-parsing.
This comment in the PR has my test notes: https://github.com/liquibase/liquibase/pull/2558#issuecomment-1055596870 ( https://github.com/liquibase/liquibase/pull/2558#issuecomment-1055596870|smart-link )
CC karen.a.taggart
➤ karen.a.taggart commented:
Adrian Velonis see below from Erzsebet Carmean and Nathan Voxland Thanks!
https://github.com/liquibase/liquibase/pull/2558
┆Issue is synchronized with this Jira Story by Unito